28 December, 2006
I think it is a great idea and this is the season to give.
You can do it painlessly here. It doesn't even take any money from you, though if you want to sponsor, I am sure they would be happy.
If you have a Digg account Digg it.
If you don't, then get a Digg account and Digg it. Put it on Delicious or Slashdot, whatever.
Spread the meme.
I generally try to stay away from the political stuff.
For some reason I usually manage to tick off everyone in the discussion when I get going on them. Conservatives hate it when I go on about civil rights or separation of church and state and Liberals hate it when I talk about the free market and my thoughts on gun control. For that matter the Liberals I know typically get ticked off about my separation of church and state thoughts as well.
I do generally agree with the instapundit.
I want a world where a happily married gay couple (liberal trust cue) has a closet full of legally obtained assault weapons (conservative trust cue).
To put it in less contentious words I always vote in the manner I believe will limit the power of government over the rest of us the most. No matter who the "us" is and no matter what the parties are.
Generally I manage to hit the anti-trust cues for pretty much every group when I get political.
Now that I have aired some of my political dirty laundry, I really don't think the Rago article was a political item. It has been treated that way in half of the blogosphere. It fits the "Evil Liberal MSM guy hates us" meme too well to be ignored.
The fact of the matter is most of the Old Media simply doesn't get blogs. I know some of them and have talked at length with them about blogs but they simply don't understand the implications (or the possibilities).
Look, to use one of Mike Murry's favorite topics, game theory: blogging and Old Media are not in a zero-sum game.
When Rago, being a moron, attacked thousands of passionate and intelligent people, it didn't have the effect of harming any of those people. As a matter of fact it upped the traffic for thousands of sites. It created fervour and therefore exchange of ideas.
It probably didn't hurt Rago that much either. I am sure that article got more traffic than any of the others he has written. Fellow "journalists" will commiserate and pat him on the back. Bloggers will be outraged and write at length about him often with links that many will follow imparting him with a voice he never had until then. In short everyone won this last round.
Of course if he keeps saying blatantly stupid things and believes in them sooner or later people will just ignore him. Just like David Duke and Cindy Sheehan who can only make the news by rising to new heights of idiocy and engaging with people who have clearly identified themselves as our enemies.
There is a more healthy and productive way for the two environments to engage. If you want call this Crazy Idea #6.
Full time media outlets (let's call this one Bob's Newspaper) need to assign one or more "reporters" and "editors" to the blog beat (yes, I know most have already). Their job is basically one of engaging new bloggers and convincing them to feed directly (in addition to their main site) to Bob's Newspaper's online site (probably via RSS).
They don't try to exercise control at all. Direct Control is what is making them fail. They just try to contain the mosh pit.
The "editor" fact checks the posts that get the most hits and feeds the data to the "reporters". The reporters use this data along with (can't believe I am about to say this) original research to write stories about the blog posts. Everyone wins. Bob's Newspaper gets a huge amount of free data and reporting while still being able to hold the worst stuff at arm's length. Basically hundreds of unpaid freelancers. If the reporter trashes a blog, hey, that is traffic as well.
Bloggers win because, let's face the truth here, most of us are hit junkies and check our stats constantly. They link to us and our stats go up.
The best "editors" will keep track of the facts and who is right most often. They might even start up a fact-based rating system to give kudos points to blogs that are consistently right.
Slashdot and Digg kind of do this stuff already with a few exceptions.
In Slashdot or Digg, if what is written matches a popular meme it will do well regardless of whether it is correct or not, and you see a lot of gaming of the system using these gut reactions. By adding in a level of accuracy incentive, things get better.
In any case D-Bunker (I have to think up an easier nickname for his pseudonym) is right in that they (the MSM [conservative trust cue here]) are missing the boat in many ways. I am just not sure he was right about Rago's blunder really missing it. If Rago is smart he could turn this into a New Coke thing. Of course, judging from his responses so far, he isn't that smart.
I do most of my posts at home. I stage them then periodically post them during the day.
I haven't been able to get any time in on my home computer to stage any so the entire pattern has collapsed.
Anyway if you want to see what we were up to over the Christmas Holidays you can visit my wife's new blog.
Folded Gingham. I have no clue what that means, but she assures me that it means something in her circles.
Some good pictures of my kids there as well.
27 December, 2006
Taken together, I think Vista may have the ability to finally put a nail in many of the security problems that have been dogging Microsoft's reputation for almost as long as they've been writing operating systems. However, such power in the hands of the greedy may also prove their undoing. The use of Vista's security features to limit the use and re-use of content seems ominous to me. It also seems a bit scary that Vista demands signed drivers, and that Microsoft and Microsoft alone are the only ones who can hand out keys for such drivers. There won't be any open source drivers. Where does this leave small time Industrial Control Systems Integrators? I wonder if this is Microsoft's answer to Open Source Software: if it ain't signed by them, it won't run.
Going further, Vista seems focused in directions which may not be in line with current design policies of many control systems. According to Gutmann, the security features it uses demand that video drivers be scanned every 30 milliseconds for certain "tilt bits" to verify that no "premium content" is being ripped. What does that do to control system performance? Does that reduce your Pentium chip to something that runs at half the speed it had in previous OSs? Even if it doesn't, what happens if the OS doesn't like your driver's behavior? It revokes the signature!
Remember all that stuff about embedded logic bombs? What if something a SCADA or DCS system does trips this? Do you trust the folks who write drivers to avoid all such problems? I don't. Are you ready to debug device driver minutiae? I'm not. Somehow, given this permanent alternative, I'm starting to think that perhaps the Blue Screen of Death was not such a bad thing after all.
My verdict: Vista has some ugly features which will get in the way of any DCS or SCADA deployment. Not just now, but perhaps for many Service Packs to come (if Microsoft stays in business for that long). Microsoft would do well to heed the advice of Gutmann and many others to temper their efforts at "managing content." I can smell what's coming next. Microsoft would probably like to deny their OS to most Open Source Software.
If they actually manage to do this, I tend to agree with Gutmann: Microsoft will end up committing suicide. We'll see this once great firm shrivel up into a shadow of its former self. Those of us who depend on it in our Industrial Control Systems will be left with a bag of parts. Is this really where you wanted to go?
25 December, 2006
Yeah, we've seen lots of hard bitten journalists lately. We've seen ignoramuses who couldn't detect blatantly photoshopped images from their "photo-journalist" brethren. We've seen people who selectively report what world leaders say. We've seen opinion and theories reported as fact. And they wonder why people hold them in such low regard? Wake up, Mr. Rago.
Meanwhile, there are scandals of world shaking magnitude brewing all around the UN and nobody sees fit to report on them. Remember Oil for Food? What about all the interesting dirt that Claudia Rosett dug up years ago and continues to research? Has anyone seen fit to follow up on it?
We're blasted daily about reports of global warming. What we don't see are the numerous studies indicating that the consequences may not be as rapid or as dire as first thought. For example, the polar bear population study on the cover of Time? That was one study of many. It was the only study showing a decline in polar bear population. Guess which one got reported?
Sensationalism sells. That's what's wrong with the descendants of town criers. Nobody likes to yell "All's well." It's much more fun to scream "THE EARTH IS BURNING" at the public. By the way, I do not doubt that the earth probably is warming. I merely question the hysteria that surrounds this issue: a hysteria fomented primarily by your colleagues, Mr. Rago.
As for my credentials, well, I feel I'm far more qualified to report about a SCADA system than any wordsmith who calls him/herself a journalist. Sure enough, my description may not be as concise and my language may be rough around the edges. However, I will be far more precise and I will use the correct terms. Shall I get a ghost writer to mediate this stuff, or would you prefer to read about it firsthand?
Let me ask a similar question: do we need to be a certified graduate with a computer science degree to write good software? Go look on Sourceforge. Yes, there are some folks who could use help writing a decently stable program. But if there weren't some really talented amateurs out there I wouldn't be typing this 'blog on an open source OS and browser.
This is also true about scientists, engineers, lawyers, doctors, and so on. Yeah, there are lots of amateurs out there. Many do not know as much as they should. But they're learning. And so is the public. Among the literate, you'll often find that popularity is not a bad guide for who knows their stuff and who doesn't.
Wait, did I say Popularity? Well, I guess I did. It is the same gauge we use to see how well newspapers and magazines measure up. Mr. Rago, I think you need to consider the message buried deep in those unworthy 'blogs. They just might know what you do not.
You see, I think Marshall McLuhan was wrong: The medium is not the message. It's all about the information, stupid.
22 December, 2006
"they have also demonstrated a remarkable antidisestablismentarianist ecumenicalisticationism in filling out that same role themselves. Because we are enshrouded in a protective membrane of elastic latex, while they enrobed of visciduous mucilage, everything they say bounceth off of us, and sticketh to them."
We are one of the infinite number of monkeys in front of an infinite number of typewriters.
An iterative experiment in written expression
--- Oh I give up. There is no way I can keep up with him. My Sarcasm instinct just isn't that sharp. Just go read his post instead.
21 December, 2006
20 December, 2006
I guess this is good. I obviously tapped into a healthy meme seed but I do have a bit of a dilemma.
I am not really sure what I meant.
Well I am sure what I meant but I am not really sure how to articulate it. (wow doesn't that leave me an easy out in 08)
Every attempt I have made turns out to just be a small part of the whole. It is like trying to draw a hypercube on a piece of paper. All I wind up with is a bunch of weird looking triangles, rectangles and squares.
The way I used to look at security (way back when) was as a sort of modified OSI model:
Control Physical Access: Locked TC and DC doors, Building Access, Wireless Access Controls
Control Switching/Electrical Access: More Wireless Access Controls, MAC Filtering, NAC (if it ever works), VLANs
Control Routed Access: ACLs, Good Subnetting (Yes, I know a subnet doesn't stop anything by itself, but if you don't get the routing right everything else is harder), Proper DMZ/Extranet/Segmentation
Control of Application Connectivity: Firewalls, Tunnels, Some Proxy Functions
Control of Sessions and Early SoD: Session Segregation, Basic SoD, Identity Controls
Control of Data Access and Presentation: DB Controls, Site/share/page access, More Identity Controls, Middle SoD
Application Controls and Control of Data Manipulation and Metadata: Business SoD, Application Design, Business Use of Application, More Identity Controls
This approach actually still works in many cases, but it lacks a lot of essentials. It is almost purely tactical and has no self-awareness. It also focuses too much on access control/preventative controls and not enough on mitigation and prioritization.
A lot of people who talked about the OSI model used to jokingly add a few more layers.
Politics, Religion, and Money
I am not so sure that is a bad idea but I would probably add a few more layers and call them:
Process, Policy, Governance, Compliance, and Money
in that order.
If you do that combined with the other layers it looks a bit like ISO 17799 domains doesn’t it? Well perhaps with some CoBiT Control Objectives thrown in.
There are a few differences though. Instead of interrelated overlapping domains you have sequential (potentially superseding) layers in both directions. These are layers where (for a given threat) you can show a certain level of protection. Multiple layers can be stacked for increasing sequential protection versus a threat from a given vector.
So let’s add these into the mix. Do they overcome the shortcomings? Well not completely. There is one thing still missing, visibility.
So feed visibility as a subset requirement into each of the layers.
As a quick example of that meme:
A firewall is valuable because it stops some attacks.
If you are able to see how many attacks occur “outside” the firewall and compare them with how many attacks make it “inside” the firewall you have added value. The value isn’t directly added to the control that is the firewall. The value is added at the Process layer where an evaluation of the effectiveness of the firewall occurs and other controls can be used to mitigate the identified weaknesses. It might also be added at the Compliance layer where an organization might have to meet PCI requirements on proof of effectiveness of controls (specifically the firewall as a Control).
So what I was trying to say when I wrote:
“Vendors that are able to encompass the concept of measurable layers in security will emerge (or in the case of the few that are already out there will do well financially)”
is that vendors that are able to add or combine either automated or easy to implement means of measuring the effectiveness of the controls they peddle will add value.
Vendors that facilitate the process of not only tying controls to specific effectiveness but also representing the effect of overlapping controls on overall risk mitigation will add a great deal of value.
If you can demonstrably add value then you can make money.
That’s what I meant …
So now I am circling around to tag the originator of the chain letter.
In the DCS world there is almost no belief that anyone will ever be able to see systems, let alone try to connect to them. When this misconception is combined with the difficulty (or for many systems the impossibility) of implementing access controls, it is easy to see why there is so little protection in place.
BTW, a No Shitter submariner short:
When I was going through Nuke training at Windsor, CT there was a shift engineer who lived in Springfield, Mass. who was named Homer Simpson. I have no idea if he knew Matt Groening. This is the honest truth. The big difference was that he was a pretty smart guy.
19 December, 2006
I want to make everyone aware of a looming deadline for the first round of comments on a draft standard from the National Institute of Standards and Technology (part of the US Federal Government) known as SP 800-82.
This document is a reasonably technical outline of various security measures. Except for a few glitches here and there, it's a very complete and well done document. However, there is one glaring piece missing: It's a very complete bag of security tricks and policies. But it lacks any reference to the most important element to any security policy: The operators.
I hate to say this, but I'm going to anyway: It's the Homer Simpsons of this world who really matter here. They're the ones who will have to work and live with the security mania. They're the ones who are just trying to get their job done as safely and expeditiously as they reasonably can. They're the ones we need to sell this stuff to, or it all falls on the floor.
Look for them in this document. These people are nowhere to be found. Sure, in the executive summary, they mention IT, they mention Control Engineers, they mention the CIO or CSO, they even mention the system vendors. But they make very little mention of the plant operators.
Clearly, NIST is working on this problem as if it's almost entirely technical, not personal. Is it really? Or are they trying to solve a human problem with gadgetry?
I think I will have a little fun with this one.
1. 30 percent of the predictions we make will be flat out wrong but we will conveniently forget that we made them. (or better yet read them in a way that makes them seem prescient anyway)
2. The only reason we do better than random on the accuracy of the predictions is because some of the items are so easy to foresee that my 13 year old pointed them out two years ago.
3. Something bad will happen in the next year.
4. Some good things will happen next year.
5. After pointing out only the items we were right on we will congratulate ourselves then make another series of lists next year.
OK, now that the obligatory curmudgeonry is done, the next five will be a bit more in line with the intent.
6. There will be one or more worms released targeting SCADA systems specifically and using vulnerabilities specific to them. Expect them to affect both historians and some PLCs.
7. There will be several fairly significant outages related to SCADA security failures but they won't be publicly identified as such. Possibly even a huge one. (left myself some leeway on that one didn't I)
8. Organizations (regardless of the type) that downplayed or reduced the capability of their Information Security teams will pay significantly in terms of incidents, stupid and improperly configured controls, and lost opportunities. (Most of them won't admit it though)
9. Vendors that are able to encompass the concept of measurable layers in security will emerge (or in the case of the few that are already out there do well financially)
10. Improperly performed vulnerability scans on control systems will get several people fired (or close to it). They might even be related to #7. This one is for you, CNI Operator.
Oh yeah, #11:
11. My Kids will cost me a lot of money but be worth every penny.
I'll tag Digital Bond now. Give us your predictions, Dale, or your hair will fall out and you will be forced to rely on blog-marketed consulting gigs for income. (oh wait)
18 December, 2006
17 December, 2006
16 December, 2006
15 December, 2006
14 December, 2006
When I was a wee lad I had to take part in a management training meeting. Of the week I was there I got only one thing of value (unless you count the pleasant and far too expensive stay at the Times Square Marriott and subsequent New York restaurant visits).
We did an exercise.
They divided the class up into about 10 groups of 4 to 5 people. They gave each group a bunch of 3x5 cards, a few rolls of cellophane tape and a stapler with a bunch of staples (too bad it wasn't a red Swingline).
We had 3 minutes to plan, then at the end of that time we had 2 minutes to build a 5-foot-tall tower with our resources.
My team spent the three minutes dividing ourselves into an organized, highly efficient 3x5 card block creation assembly line and readying the floor space.
When the stopwatch started we started stapling the cards into small triangular blocks like good little assembly line workers. We made hundreds of them and passed them to our teammates who dutifully organized and stacked them. The leader circled the tower applying tape to hold the layers together. We were incredibly efficient, hard working, we paid attention to every detail and were ultimately unsuccessful.
Our tower got to be almost 3 feet high when they rang the bell. It was a pretty tower and we worked hard on it, but in the end it fell short of the 5-foot goal by close to half.
Two of the groups did succeed.
One of them strung out long strips of tape and slapped the 3x5 cards to them lengthwise. They crumpled these into three tubes, then taped them together at the top. It only took them about 30 seconds to finish.
The second group had everyone on the team watch each of the other groups. When they saw the tube guys they imitated them. I think they probably finished in about a minute. Their strategy was obviously to imitate a successful strategy. After all the goal wasn't to be first it was just to get over 5 feet in less than 2 minutes.
When I first got involved in SOX compliance pieces, specifically the attestation process, I felt either like the stapling person or (when I was in charge) like the group leader running around with the tape trying to hold the far too small (but very pretty and neatly organized) tower together.
Since then I have been through three successful audits at two different companies. One of which I helped manage.
13 December, 2006
Argghhh, I can't help myself.
I used it for several years including time I spent as a pen tester at an organization that did dozens of companies including large financials.
They have a great product, and if you are a pen tester and not using it then you either:
- haven't actually looked at what they have
- are arrogant, think you know better than everyone else how to pen test, and are ignorant of how much time and money you can save per test while at the same time improving consistent quality, and are therefore probably stiffing your customers
- think it is cost prohibitive and have not talked to them about the options
- are new to the game and think Metasploit is the cat's meow or that running a Nessus scan by itself is actually pen testing
- just have never heard about it
It has a place inside a non-pen-testing organization or normal IT shop as well:
- Improving credibility while pointing out vulnerabilities to sysadmins
- providing CYA because of its detailed logging of what it does
- Impressing the hell out of executives in IT and the business alike
- Eliminating false positives from vuln scans
- as part of a simplified process to ensure visibility of internal and cross boundary (read firewalls/DMZ/Segmentation) weaknesses (SCADA!!!)
- To pen test yourself for less cost (You can do it monthly even in large companies)
I have used it on automated control systems (SCADA) without causing any problem, including Honeywell, ABB/Rockwell, Siemens and Emerson (with proper notification and management of change, of course).
OK Blatant plug finished. Hey if something works and has helped me I like to tell others.
About 6 to 10 years ago (I can't remember exactly when, but suppose it was about the time of Code Red or Nimda) I was staring at a pile of papers on my desk. They were a dump of that month's syslog and were about 6 inches high. The log for the previous month was in my hand and was only two pages long.
We had set up a pretty useful system for tracking down people that were trying to hack into our company. Our Internet facing Cisco router served as the first layer of defense. There was an ACL that watched incoming traffic and dumped all but a few ports. For HTML we got fancy and looked for some rudimentary "signatures" (about 40-50 of them) that caught things like unicode attacks and a few other items. Next in line was a SNORT box. They would log these events then forward them to a DMZ syslog behind the firewall. We also forwarded our Checkpoint firewall (which was the next line of defense after SNORT) logs to that box.
I had some greps cron'ed to run periodically and forward their results to our SMTP server using a little mail script I wrote. HELO, MAIL TO, MAIL FROM, DATA, egrep, EHLO. We had some Network General Sniffers that alarmed for certain specific types of traffic (mostly stuff that looked like scans) and forwarded an email to the same address. The system worked really well and had for several years. We would have about two or three false alarms a week and just a few real ones a year. We even managed to track a few of them down and got involved with authorities in the country they were in. (two convictions, one promotion [he worked for us in another country and was trying to fix things])
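The "attacks seen outside versus attacks that make it inside" measurement from the 20 December post, run over the kind of Snort-plus-syslog feed just described, as an added example that is not the blog's own code: it assumes one sensor on each side of the firewall writing Snort's fast alert format, and the alert lines, addresses and the noise-signature list are constructed for the example.

```python
"""Constructed example: measure a firewall's effectiveness per attack signature
by comparing IDS alerts logged outside the firewall with those logged inside."""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

# Snort "fast" alert format:
#   timestamp  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


class Alert(NamedTuple):
    sid: int
    msg: str
    src: str
    dst: str
    dport: int  # 0 when the alert carries no port (e.g. ICMP)


# Signature IDs treated as scan noise rather than attacks, dropped the same way the
# cron'ed greps filtered sweeps so they do not swamp the counts (assumed example IDs).
NOISE_SIDS = {469}


def parse_alerts(lines: Iterable[str]) -> List[Alert]:
    """Parse fast-format alert lines; lines that do not match are ignored."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(Alert(int(m["sid"]), m["msg"], m["src"], m["dst"], int(m["dport"] or 0)))
    return alerts


def effectiveness(outside: Iterable[str], inside: Iterable[str]) -> Dict[int, dict]:
    """Per signature: alerts seen outside, alerts that still fired inside, and the
    percentage the firewall blocked. blocked_pct is None when the signature was
    only ever seen inside (an internal source or an outside-sensor blind spot)."""
    out = [a for a in parse_alerts(outside) if a.sid not in NOISE_SIDS]
    inn = [a for a in parse_alerts(inside) if a.sid not in NOISE_SIDS]
    seen, passed = Counter(a.sid for a in out), Counter(a.sid for a in inn)
    names = {a.sid: a.msg for a in out + inn}
    report = {}
    for sid in sorted(set(seen) | set(passed)):
        blocked = max(seen[sid] - passed[sid], 0)
        report[sid] = {
            "msg": names[sid],
            "outside": seen[sid],
            "inside": passed[sid],
            "blocked_pct": round(100.0 * blocked / seen[sid], 1) if seen[sid] else None,
        }
    return report


def weak_spots(report: Dict[int, dict], threshold: float = 50.0) -> List[str]:
    """Signatures the firewall blocks below the threshold: the list the Process layer
    hands to whoever owns the compensating controls (patching, host hardening, IPS)."""
    return [r["msg"] for r in report.values()
            if r["blocked_pct"] is None or r["blocked_pct"] < threshold]


# Constructed sample alerts using RFC 5737 documentation addresses, not real traffic.
OUTSIDE_ALERTS = [
    "12/13-09:15:02.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4432 -> 192.0.2.10:80",
    "12/13-09:15:09.004210  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.17:1088 -> 192.0.2.11:80",
    "12/13-09:16:44.770001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.8:2051 -> 192.0.2.12:80",
    "12/13-09:17:30.000100  [**] [1:1945:6] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4440 -> 192.0.2.10:80",
    "12/13-09:18:12.500000  [**] [1:1945:6] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:3301 -> 192.0.2.10:80",
    "12/13-09:19:01.250000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:1434 -> 192.0.2.20:1434",
    "12/13-09:19:40.000001  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.99 -> 192.0.2.10",
    "12/13-09:19:40.000900  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.99 -> 192.0.2.11",
]
INSIDE_ALERTS = [
    "12/13-09:15:02.123900  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4432 -> 192.0.2.10:80",
    "12/13-09:17:30.000600  [**] [1:1945:6] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4440 -> 192.0.2.10:80",
    "12/13-09:18:12.500400  [**] [1:1945:6] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:3301 -> 192.0.2.10:80",
    "12/13-09:19:40.000300  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.99 -> 192.0.2.10",
]

if __name__ == "__main__":
    report = effectiveness(OUTSIDE_ALERTS, INSIDE_ALERTS)
    for sid, r in report.items():
        print(f"{sid:>5} {r['msg']:<45} outside={r['outside']} inside={r['inside']} blocked={r['blocked_pct']}%")
    print("needs compensating controls:", weak_spots(report))
```

In the sample, the published web server lets every unicode traversal through (0% blocked), which is exactly the kind of per-control weakness the Process layer is there to surface and hand off to another control.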
It all changed overnight.
Pretty much everybody reading this blog is a security professional that went through this. (or possibly a controls engineer that I suspect is about to go through it. Remember 8 to 10 year lag)
It started with the large scale automated scans. Usually some idiot that had gotten hold of SATAN, SAINT or an early ping sweep utility and didn't know how to use it right. (honestly these started several years before) They were irritating but you could filter them in your greps. Early versions of Nessus and other versions of NMAP and HPING were more irritating because they were harder to filter and the ACL would miss chunks of them.
Then the worms ate into our brain.
Within a month or two those of us that had set up automated detection mechanisms were buried under an indecipherable morass of logs. Since then we as an industry have gotten a lot better at designing filters and managing the information chaos. Through a combination of layers, good design, luck and major initiatives by IT vendors we have somehow gotten to an acceptable equilibrium with the worms (at least for now), but the root problem has never really been solved.
Staring at that pile of paper I had an idea. The only people who could fix this were the users, and the only organizations that could help them were the ISPs. The ISPs could help their users and make money at it at the same time.
I had dropped this idea for almost three years because ISPs started to give away AV for free, but recent events have revived it for me.
It is pretty simple really. The ISP (or someone hired by them) watches for suspect traffic from their address ranges. If they see hints of it they watch that address closer. If it is verified that the machine is acting improperly they use their systems to tie the address to a user and then to an email. They all have the data, just in different formats; it might be RADIUS, MAC registrations, mail logins, cable modem registrations or just access logs.
They then send an email to the user informing them that there is probably a security problem on one of their systems. If they go to this web site (linked in the email) and follow the instructions it can be cleaned for free. For a simple fee of $5 a month (added to their existing bill) they can be added to the premium security service that will help to maintain their system in a clean state. For $10 a month they can be added to the platinum service that includes additional services and advanced protections.
Think of it. It is targeted marketing to someone who definitely has a need. Probably someone who is ignorant of the product and industry but has been barraged with mainstream news panic stories so is primed to react.
The first objection I usually hear is "why would they open the mail? They'll think it's spam."
Hello!!! They are infected by a trojan or worm so they obviously don't have that great of a brain-email-spam-phishing filter to begin with. Plus the carriers never need to ask for credit cards or other information. They build trust with a well developed mail and clearly branded site. If they want to be careful they can verify any orders out of band. Any info security people I plugged this with years ago looked at it with a paranoid eye.
The user doesn't.
They are link lemmings.
Besides it is certainly possible for problem accounts to send an actual snail mail.
Next objection - Exploratory Cost
It would be somewhat different for every ISP, but most of the time the start-up system would be very easy and inexpensive. You need some kind of honeypot or IDS to catch the bad traffic. Chances are it already exists. You need to write a simple app to verify what traffic is actually bad. An app to link addresses to users. A site with a web based AV and spyware scan (honestly, just use the company that is already being given away free). And an email app. If it makes money from the start-up design then expand it to meet the needs/demand. Most ISPs already have these pieces; they just need to develop the offering. At the very least it would defer some of the AV costs, at the most a tidy profit center in the long run.
Next Objection - Why not do it for free
Because it doesn't have to be free. Oh, the ISPs should still offer the free AV items, but if a user isn't savvy enough to use it then they might like a premium service that takes the brain work out of it. A simple agent (uh oh, I said the A word) to make sure that the AV and anti-spyware apps are up to date and working well could do. For the premium service they might throw in shredding apps, child filters, a weekly security popup tip (that can be turned off, of course), utilities (semi optimized) and/or periodic human verification. Pick and choose the mix to compete with the other guys. Obviously the free AV approach isn't working that well any more.
Next Objection - Invasion of privacy!!!
First, they are already watching this traffic for troubleshooting and incident response anyway, so at the most this will bring it to the user's attention (which is arguably a laudable goal in itself). Second, it is entirely possible to set this up using only a honeypot that has no other uses and doesn't originate connections. If they don't come to you then you don't look at their traffic. There would still be plenty of opportunities.
The ISPs make more money, the users have more secure systems, the rest of us have a slightly improved security environment, at least until the next gen of the battle. Everyone wins but the illegal spammers and worms.
Just another crazy idea.
12 December, 2006
My son pipes in "that's stupid"
him "That's stupid. The guys with the big guns should never go first they'll get killed. Send the short rifles in first. Big guns stay in the back and cover. Everyone who's ever played Ghost Recon or paintball knows that."
He is thirteen.
When you combine that with one of Maine's favorite pastimes, potato guns,
and things like this
and I'm not sure if I should be scared or proud.
I guess I'll stick with proud.
and no this isn't some silly security analogy. It has nothing to do with SCADA security.
... or does it ???
:)
Your systems will eventually be scanned. If you do it yourself, and start with passive scanning then move with proper MOC to active scanning and remediation, you will be ready for the scans you don't control, plan or know about.
I hope they are doing every piece right because there is a lot of room for error here.
For that matter the vendor might get everything fine and in this design it would be real easy to see a lot of customers mess it up.
They mention the word security once in their marketing blurb ("all in total security."), but I can't find any white papers at their site.
Show me the meat!!!
No search capability either.
Also I am pulling this up out of my comments section
"Jim, I would go further.. Eric is a truly genuine modest gentleman. He has the interests of the community at heart. Looking at the team he has assembled in his venture I am certain that his organisation will enjoy a great deal of success and the community will enjoy the benefits from his organisation's continuing research. The knowledge he shares is helping to bridge the gap of insufficient training and awareness that exists in the industry. I wish every success to him with his appliance development project and eagerly await its release into the market. Ron Southworth"
It is unusual for this many competitors, co-workers and customers to unify on a message but when it is the right one it makes sense.
It is pretty amazing the amount of detail it can provide. I suppose I'm not surprised, after all I do information security for a living but there is still something stark about how much useful and useless information can be gathered.
Google Analytics is pretty useful as well but doesn't provide some of the detail you can get with Statcounter.
For example even though this is an Information Security Blog I can tell you that more than half of you are using MSIE 6.0 or earlier and are not even close to having it currently patched. For that matter less than a third of the Firefox users (the next highest usage browser that hits me) are on the current version. There is at least one Opera user that is always up to date on his (or her) updates. It is pretty clear to me that the Netscape updates are automated because when a new update goes out I instantly see it.
Although I can't tie any of the information to an individual I can get a decent idea of what they are like.
I have two regular visitors from Israel. One hits me at almost exactly the same time every day. It looks like it is breakfast or just after he gets to work.
I have a couple of regular visitors from India. It might be the same person on multiple different systems because they are from different providers but the same city.
One or more of my frequent visitors travels a whole lot. They must have a lot of travel points at Hilton and Hyatt because I have seen them coming from all over Europe, the US and Asia from pops from those chains or ones affiliated with them.
I have had visitors from over a hundred countries and returns from over forty.
Most of my visits come from the UK, Canada, Australia and the US but together they make up only about half of my return visitors.
About two thirds of my visitors spend between 5 min and 30 min a visit at my site.
Sorry if that was a bit off topic but I thought that some of you might be interested in what bloggers can see of you when you visit their sites. I hope this doesn't cause anyone to block me because I love reading the stats. It might be good to update your browsers though.
Welcome to the blog and remember Big Brother is watching (and keeping logs) :)
I actually do like them usually. Anyone who has heard me drone on will attest that I am always trying to find ways to make them empirical and evangelizing on their use in persuading management. Still it is important to keep them in context.
11 December, 2006
I call it the "what if" argument.
When I was in grade school there was a kid that liked to push people's buttons. He would ask questions like
"What if I threw your math book out the bus window?"
"What if some guy came up and hit you in the face?"
"What if I tore your arm off and hit you with it?"
Clearly he was a bit deranged. It is also pretty transparent that he used it as a means to intimidate and control others.
I pretty regularly run into this kid in the info security world in the form of completely unrealistic risk assessments and audit findings. I am sure that the motive is better hidden from the author of these writings but the goal just might be the same.
Still we should keep in mind that sometimes the wildly improbable happens.
"What if a Thanksgiving parade float almost kills you then a private plane crashes into your house?"
Am I just perpetuating an urban legend here?
His completed projects page will give you a good idea of what he has been up to.
The SCADA Information Security Community is growing and I see more names entering it every day. I see many claiming they have been "doing SCADA security for a decade" (often more). Everyone claims to be a wizened sage or industry leader. It might be true for some of them but in reality the Ethernet and IP connectivity that has so greatly increased the operability and also the risk of these systems has not been around for very long. I would view these claims with some scepticism.
Eric is one of the people that have been involved in it from the beginning (demonstrably so, look at his papers). He has been involved in multiple industries, not just one narrow clique, and has actively provided working solutions.
This is obviously a blatant plug but it is one that I am proud to make and not being paid for. One that any company that is looking into fixing SCADA Security issues should pay attention to.
AND Gates on DNA. The process looks very involved but the new key I see here is that they can feed output directly into another calculation.
I imagine this could lend itself well to massively parallel computing.
Squeeze a few drops into a bunch of test tubes apply the filter gates for the thresholds. Wait for a few hours then sequence the output to find the next Mersenne prime. Diffie-Hellman look out.
I wonder what the key limiting points are for this.
The other interesting item was the manipulators.
The Singularity approaches.
I think it is great that people are paying attention to ensuring the reliability of their SCADA equipment. While I was at the oil company I saw at least one major (very major) incident related at least in part (there are always several failures that lead to major incidents) to a lack of proper power provisioning.
One quick caution here.
Pay attention to the security and management issues related to UPSs when installing them. They are often managed by SNMP or other trivially manipulated protocols and some of the more advanced ones can serve as entry points. Linux is often the underlying OS and while this isn't a problem in itself, it does mean that periodic attention to patching and version maintenance is required.
Finally keep in mind that this is another avenue for attack/failure if it is on an essential system.
UPSs for MES and historians are a good way to ensure you maintain the ability to monitor operations when there is a failure in what is normally a non-vital portion of the power system. The fact that these systems are often on the normal power grid is often overlooked. For PLCs and RTUs obviously a well engineered power structure is more important.
Another item to add to the periodic maintenance list - verify power supply fail over mechanism and settings thereof.
Good Comment by Jake. Jake you should drop a line to DCSSEC at Gmail.com
It would be nice to strike up an out of band conversation.
Ray (the author of this blog) didn't seem to read the content of the third article I linked to in my weekend RIAA post but did provide some good factual context.
"After years of cat-and-mouse legal games, Zennstrom, Friis and Kazaa settled with the music industry in July for $100 million. They've rid themselves of Kazaa ownership, selling pieces in a series of legal maneuvers."
On the other hand perhaps I didn't articulate the issues in the post properly. My point was that although they had successfully settled in at least one of the major cases they were in, they are apparently still being harassed (admittedly from a different direction). This bothers me. There is no way to tell for sure but it certainly seems possible that this is a coordinated action. I would love to see someone look into who the lawyers are in the class action that Ray mentions. Are they associated with the Record Industry? If they are, at the very least this is distasteful and a further example of how they are being bullies.
It is a shame that the recording industry continues to harass its most dedicated and innovative customers. If these "advocacy" organizations did their job properly then the industry's companies would see their profit margins expanding exponentially along with the growth of the Internet. Instead they choose to sue and hide their heads in the sand. This is causing them to lose a lot of money.
The thing I was really stoked on was that the founder of Kazaa has set his eyes on another venue. It should be interesting to see what happens.
10 December, 2006
09 December, 2006
08 December, 2006
This is getting disturbing
Like I said in my rant earlier this stuff is not easy to get a hold of, at least not in the quantities we keep seeing. It is certainly possible that one contaminated individual spread it to all of these places. It is even likely that the reason that they are keeping the "witness" away for a bit is because they are worried that he is contaminated and it will be somehow detectable (it would have to be a lot for an alpha emitter to be detectable, and just sloughing off to be swiped later).
According to information leaked from the post-mortem examination, Litvinenko died from a dose that could cost 30 million euros. This seems a bit too rich for a murder. - This seems to actually be a very reasonable dosage estimate to me considering the rapid onset and the total bodily system collapse he had. To lose his hair from an alpha emitter in just a week would take a huge amount (radiologically speaking).
To get this level of cross contamination of detectable levels of Polonium would take a nation's involvement or some heavy duty terrorist type organization. The quantities would have to be huge (in terms of activity, not mass or volume). To head off the normal anti-US conspiracy buffs (idiots), the US (and all of the Western nations) tracks its contamination sources very well. There would be an easy to locate paper trail.
I don't usually get into politics on this blog or conspiracy but the radiological angle makes this one interesting to me.
and suggested that if a Russian intelligence agency had wanted to kill him, it would have been foolish to use polonium because its source could probably be traced. - The last part of this is partially true. Normally isotopes have a "fingerprint" that can be used to trace their origins. Polonium though makes this more difficult because its final decay product is stable. If it is pure enough it probably couldn't be tracked and the minuscule amounts would make it even harder.
I think the Russian government is the obvious suspect but people should also be worried about his possible Chechen connections. I normally debunk the dirty bomb junk I hear but his possible connections to some radical elements (on both sides of the equation) and the presence of this much hard to obtain radioactive substance has me scratching my head.
I hope some really good people are chasing down all of the possible threads on this one because some of the potential implications are pretty scary.
In any case this was clearly all just off topic speculation. Interesting speculation but still just guess work.
07 December, 2006
A pressure switch trips at a certain predefined pressure. Its output is either on or off. They are used as warning devices for valve leakage, as integrated control sensors and as notification mechanisms for exceeding thresholds.
There are many different forms of pressure switches. The oldest is a simple spring resisted bellows that activates a physical switch when the spring tension is overcome.
A pressure bellows is used to measure a range of pressures with a certain level of granularity. They are used in meteorological equipment, to measure liquid levels in tanks and gas or liquid pressures in pipelines and storage facilities.
A pressure sensor has a bellows which compresses or expands in response to an outside pressure. The movement of the bellows typically moves a transformer core and alters its electrical coupling. This signal is converted from an analog current or voltage measurement into a digital signal and fed to the PLC or RTU. In some cases the PLC/RTU is integrated into the sensor itself in others it simply receives the output in a known format.
Thermocouples measure temperature and convert it into a voltage variance. They are used to monitor temperature remotely.
Thermocouples work by taking advantage of the differing electrical conductivity values of two dissimilar metals in contact with each other. Because different metals have a different electrical response at different temperatures they will form a potential difference at their junction point. This potential difference is measured. The voltage variance indicates the difference in temperature between the voltage measuring point and the temperature at the point where the dissimilar metals connect. Knowing these pieces of information allows the calculation of the temperature at the measuring point.
Valve Position Indicator
The simplest valve position indicator is a switch that is activated when the valve stem reaches a specific position. One switch is used for fully open and one for fully closed.
Repositioning of a transformer core is used in some implementations and activation of a traveling linked rheostat is used in others. These implementations can provide readings indicating a percentage of how open or closed a valve is. This is essential where the valve is used to throttle flow rate.
Fluid Flow Rate
Fluid flow rate is usually measured using a Bernoulli gauge. For a given volume of flow with a smaller cross-sectional diameter path the pressure of a fluid will increase. By measuring the pressure at both the smaller cross section and the larger cross section and knowing the temperature and density of the fluid it is possible to calculate the flow rate.
I did this off the top of my head then realized
A lot of good stuff on Wiki
He ends it with welcome to my nightmare.
Ernie is a good guy and that would have been a fun round table to be at.
As I've mentioned before Invensys is one of the companies that "Get it".
But there is still a long way to go.
You can read the corrected and updated post here.
Passive Vulnerability Scanning - SCADA
I stand behind the rest of the items on the post.
I made a huge mistake in this post. N-Circle does not offer passive vulnerability scanning. Instead of changing the content (which I don't believe in for other than minor spelling and grammatical items) I am leaving this at both ends of the Post. Once more N-Circle does not offer PVS. Tenable does and Mu is sort of a variant.
Ok I have confession to make.
I have been ignoring an entire dimension of the SCADA scanning discussion.
I have ignored it for two reasons.
1. It just isn't that fun because it doesn't generate as much of a conundrum to argue about.
2. The thread started with a discussion of active and I wanted to stress the overall importance of scanning vs not, even if it means some risk.
Passive Vulnerability Scanning (PVS) is essentially sniffing network traffic and using known characteristics to identify systems that are likely to have vulnerabilities.
The gurus will probably jump all over me here but it is basically matching network traffic signatures to likely OSs, patch levels, and applications and then linking that data to vulnerability information.
It isn't that new. I was following some Snort items similar to this a few years ago. They were comparing the Snort rule hits against known characteristics from a variant of NMAP's fingerprints (or maybe it was QUESO... Whatever) and using that to passively identify OS and patch level.
The key here (and why it is germane to the SCADA Scanning discussion) is that passive vulnerability detection does not require you to touch the vulnerable system at all. This means that there is no realistic chance of causing a problem on it. You set up a mirror port and sniff the traffic. That is the only impact to the PCN.
Let's be clear here there are some weaknesses to doing it this way.
- You only see systems whose traffic passes the monitored port so you can miss a lot depending on where you locate the sniff point.
- There is only so much data you can acquire about a system based on watching its traffic and not interacting with it (though admittedly this is a surprisingly large amount).
- It will have false positives (though there are mechanisms to weed those out)
- It is not nearly as effective at identification and verification of actual vulnerabilities.
But it is nearly risk free.
If you work in a shop that realistically has no chance of using a scan to identify your weaknesses this is a very good option.
It is also a good option as a preliminary investigation method before doing more intrusive actions.
Those actions still need to happen (as a matter of fact they probably already are without your knowledge) but this can buffer both the political and real risk.
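To make the matching concrete, here is an added example (not code from the post or from any vendor product) of the PVS idea described above: passively observed TTL/window pairs and application banners from a mirror port are matched against a fingerprint table and a vulnerability library, with a minimum-sample rule to dampen the false positives mentioned in the list. It also covers the browser-version observation from the Statcounter post, since a User-Agent header is just another banner. Every observation, signature and advisory ID below is constructed for illustration.

```python
"""Passive vulnerability scan (PVS) sketch: fingerprint hosts without touching them.

Added example, not the author's or any vendor's code. Observations, OS/banner
signatures and advisory IDs are constructed placeholders, not real advisories.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """One packet (or banner carried in a packet) seen on the mirror port."""
    src_ip: str
    ttl: int          # TTL as observed, i.e. after some hops
    window: int       # TCP window size
    banner: str = ""  # e.g. an HTTP header line or SSH banner, if present


@dataclass
class HostReport:
    ip: str
    os_guess: Optional[str] = None
    os_confidence: float = 0.0
    apps: Dict[str, str] = field(default_factory=dict)  # product -> version
    findings: List[str] = field(default_factory=list)


# Constructed stack fingerprints: (initial TTL, window) -> OS guess.
# Real tools use many more fields (options, DF bit, MSS); this is illustrative.
OS_SIGNATURES: Dict[Tuple[int, int], str] = {
    (128, 65535): "Windows (older NT family)",
    (128, 8192): "Windows (newer)",
    (64, 5840): "Linux 2.4/2.6",
}

# Constructed banner signatures: regex capturing a version -> product name.
BANNER_SIGNATURES = [
    (re.compile(r"Server: Apache/(\d+(?:\.\d+)+)"), "Apache httpd"),
    (re.compile(r"User-Agent: Mozilla/4\.0 \(compatible; MSIE (\d+\.\d+)"), "MSIE"),
    (re.compile(r"SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)"), "OpenSSH"),
]

# Constructed vulnerability library: product -> [(fixed_in_version, advisory id)].
# Any observed version strictly below fixed_in_version is flagged.
VULN_LIBRARY: Dict[str, List[Tuple[str, str]]] = {
    "MSIE": [("7.0", "PLACEHOLDER-ADV-MSIE-PRE-7")],
    "Apache httpd": [("2.2.0", "PLACEHOLDER-ADV-APACHE-PRE-2.2")],
}


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.0.52' -> (2, 0, 52) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def infer_initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return 255


def match_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) for the first matching banner signature."""
    for pattern, product in BANNER_SIGNATURES:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def passive_scan(obs: List[Observation], min_samples: int = 3,
                 min_agreement: float = 0.6) -> Dict[str, HostReport]:
    """Build per-host reports from traffic observations only (no probes sent)."""
    by_host: Dict[str, List[Observation]] = defaultdict(list)
    for o in obs:
        by_host[o.src_ip].append(o)

    reports: Dict[str, HostReport] = {}
    for ip, host_obs in by_host.items():
        rep = HostReport(ip=ip)
        # OS guess: vote across all observations; refuse to guess on thin or
        # conflicting evidence, which is where passive methods false-positive.
        votes = Counter(
            OS_SIGNATURES.get((infer_initial_ttl(o.ttl), o.window), "unknown")
            for o in host_obs)
        guess, count = votes.most_common(1)[0]
        share = count / len(host_obs)
        if guess != "unknown" and len(host_obs) >= min_samples and share >= min_agreement:
            rep.os_guess, rep.os_confidence = guess, round(share, 2)
        # Applications: banners give a version, which the library turns into findings.
        for o in host_obs:
            hit = match_banner(o.banner) if o.banner else None
            if hit:
                product, version = hit
                rep.apps[product] = version
                for fixed_in, advisory in VULN_LIBRARY.get(product, []):
                    if version_tuple(version) < version_tuple(fixed_in):
                        finding = f"{product} {version} < {fixed_in}: {advisory}"
                        if finding not in rep.findings:
                            rep.findings.append(finding)
        reports[ip] = rep
    return reports


# Constructed sample traffic: a workstation seen several times with an old
# browser, a web server seen once, and a host seen too rarely to call.
SAMPLE_TRAFFIC = [
    Observation("10.0.0.5", 126, 65535, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    Observation("10.0.0.5", 126, 65535),
    Observation("10.0.0.5", 125, 65535),
    Observation("10.0.0.5", 126, 8192),
    Observation("10.0.0.9", 61, 5840, "Server: Apache/2.0.52 (CentOS)"),
    Observation("10.0.0.20", 120, 8192),
]

if __name__ == "__main__":
    for r in passive_scan(SAMPLE_TRAFFIC).values():
        print(r)
```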
There are a couple of companies doing this and I have already mentioned three.
N-Circle has been doing PVS for a while and integrates it neatly with the ability to match it against what active attacks are occurring. - Not True
The differentiators in this field are likely to be the quality and quantity of the matching, the collation of their library to your specific needs, and ease of monitoring/management.
Tenable probably has a lead in the SCADA side of this because of their engagement with Dale at Digitalbond but N-Circle is leading overall. - I'll stand by the first statement; I was flat out wrong on the second
I made a huge mistake in this post. N-Circle does not offer passive vulnerability scanning. Instead of changing the content (which I don't believe in for other than minor spelling and grammatical items) I am leaving this at both ends of the Post. Once more N-Circle does not offer PVS. Tenable does and Mu is sort of a variant.
06 December, 2006
He quotes Hawking's virus statement.
There is already another form of life we have created and it isn't that bad. It consumes resources, reacts to stimuli, replicates, it facilitates maintenance of its environment, it's organized, it even forms symbiotic relationships... with us.
With SCADA it even has a direct effect. With items like Google it might even be developing some basic self awareness.
It is about as smart as a mouse now but getting smarter.
I don't see why it would turn on its white blood cells.
I would love it if someone could get this post to Stephen. If everyone spreads the link perhaps he will. It would be interesting to hear what he thinks.
A bit of outside the box but fun thinking.
This reminded me of a conversation with Scott Blake, one of my former CISOs.
He proved to me that even though I saved a couple of bucks a week in gas on my daily hour in each direction by driving 10 mph slower it wasn't worth it in lost time and productivity. Overall it was better for the environment for me to be more efficient.
I am a hybrid driving eco hippie but I still follow his advice.
(I suppose if I was a real hippie I would ride my bike to work or for that matter wouldn't live so far but I am not that crazy and no one can find a decent paying job in Maine right now)
Perhaps I'll do the veggie-diesel thing. Or This
A friend of mine at work drives one and it seems to work fine for him. Saves him a bit on fuel.
And yes I have worked for a paper company, an oil company, and run a nuclear reactor and still consider myself eco-friendly. I've done more to improve the environment than ten dumpster diving brainwashed bozos.
By Steven Smith
I don't recognize the name but it is not too bad a paper. It looks like he has been doing this for a bit so we might have met and I just don't remember. It quotes from a number of good documents but some detritus as well. It won't break much new ground but it is good solid research. He quotes Eric (from ByresSecurity) a lot which of course makes me happy.
It is nice to see the meme spreading.
Feel free to drop a comment or an Email Steven if you ever read this post. We might have some friends in common.
Duh Now I know him he wrote the DSP Book. Should have realized sooner.
In comments Ross says
"The premise of the article is flawed; by analogy it would be similar to saying law enforcement is losing the war with robbers because the annual amount of stuff stolen is greater than the lock industry's revenue. "
He is right of course. To be honest this was a bit of a slacker post. I'd say it was below my standard but hey you live with what you do right. In any case the article still had some interesting tidbits even if the conclusion is wrong.
There has been a fair amount of traffic regarding the security issues of applications like the Google desktop on the IT side in the last several months.
Within the ACS SCADA world (Update to fix spelling) you should consider the implications of the desktops but also the Google appliances. These devices are being installed by many organizations to simplify everything from Intranet Website development to E-discovery. Like most Google products they are very good at what they do.
The thing to keep in mind with them is that they are web crawlers on steroids. They don't just hit HTTP they also chase down many other file sharing and transfer mechanisms. Look at the databases they crawl as well. They will find Windows shares. They follow links and scan address ranges to index and cache data. They can be configured to limit the extent of the scan but in many cases this is haphazardly done.
Many PLCs have HTTP interfaces now and all of the historians I know about have some flavor of DB.
This takes on particular concern when placed in context of our recent discussions on the possible impacts of scanning.
Scanning Vs Not Scanning
More Scanning - Be careful
Ramifications of Scanning
and keep this in mind when considering what Securosis had to say.
The good news is that the vendors are getting better at designing these interfaces to be resilient.
A number of religious adherents jumped to its defense.
My reply was basically: yes, it can be used for good, a tool is not in and of itself evil, but let's be honest, it usually is insecure and used for less than reputable things.
They do have some good backing. They managed to Raise Money.
This is probably because they do have very innovative mechanisms of transferring data.
Something that I think would be interesting to see is a combination of Grid computing with file storage and transfer mechanisms wrapped with security layers that are easy for the end user to configure and easy for the user of the grid to use to protect their data.
05 December, 2006
A recent Wired article sheds some light on the mechanisms the MPAA (and probably RIAA) uses to gain information on ISP customers.
If I was a lawyer defending people being accused of trading songs I would ask questions as to how exactly they obtained the IP addresses, MAC addresses and then most importantly linked them to individuals. From a technical standpoint these items are notoriously inaccurate, with changing processes and different mechanisms between providers. It is not that it cannot be done properly but if false pretenses are used to develop the data then a chance of error is much higher.
Of course most of the people being sued by these two organizations can't afford a lawyer.
So they are essentially assumed guilty and the evidence used to accuse them is obtained by at the very least questionable practices. Possibly illegal ones.
Let me be clear here. I strongly support the rights of people or organizations to choose what they do with data they own. If they want to lock their songs and movies down so tight that no one can reasonably watch or listen to them then I support their right to do so. I have not and will not steal music. I won't let my children do it and have taken steps to make it hard for my 13 year old to even try. I basically think that anyone who installs bit torrent, Limewire or any of the other p2p products on their home computers are essentially insane and asking for a problem of some sort.
Update in Comments on the "insane" statement.
If companies want to use legitimate tactics to track down people illegally profiting on their intellectual property then I support and would even help them.
If these companies want to irrationally impede even legitimate access to a product that they make money on by trying to get as wide a paying view as possible then more power to them.
They will go out of business in the long run. That too is their right.
I would, however, like to know how much money the RIAA and MPAA make on these essentially indefensible law suits. How much gets passed to the members? Any?
If I was a member of one of these organizations I would be asking why it is good for an organization that I pay to advocate for me to be suing my best customers and generating such consistently bad publicity.
I would also ask them how employing questionable or outright fraudulent activities has helped reduce my declining market share and profits. Activities that only recently resulted in the ouster of the CEO of a major tech company and a shake up of its Board.
Once more, for legitimate and warranted investigations I have no problem with this. It isn't hacking or fraud if you go to a company with warrant or evidence in hand. In the long run poor decisions and tactics hinder legitimate investigations. Real hacking and fraud are bad and usually illegal (the law is often one step behind) and should be treated as such by every reputable organization. If HP didn't teach that I don't know what will.
I saw some motion for establishing a class action against these organizations based on their methods. It would seem to me that there is a growing class of individuals out there that has lost a good deal of money based in part on deceptive and possibly illegal practices. I wonder if this would help or hinder that from occurring? Any Lawyers want to educate me?
This is a continued off topic rant from here
and from Rich here
The bad guys are now realizing that there is something here.
When I first wrote this fact more than 2 years ago it was new. Now I don't know how anyone could deny it. They have found SCADA plans with terrorists. In case you think this is a new phenomenon that is only occurring because of the current hype, it was talked about back in 2002 with reconnaissance to back it up then, and even before.
For some reason I keep running into people who say we shouldn't talk so loud about it.
Well two replies to that.
Worms and malware don't care what I say.
The real bad guys have known for years.
If you are involved in engineering control systems and you are not already developing a layered approach to security you will have a problem sooner or later. You might put it off by delaying getting scans to see how well you stand up or by stating that "we don't connect our SCADA systems to the IT network" but if you have IP connected systems (and more and more organizations do) sooner or later you'll deal with it.
It is best to deal with it in a controlled environment.
The infrastructure that was necessary for distribution of music is essentially gone now. There was the typical flopping associated with the realization of the demise but in the long run the music companies can only hold off reality for so long.
There are great ways for them to make money still though. Apple has proven this with the iPod though I would say it is at a hybrid stage. In order for it to fully mature they need to realize that people should be able to choose their hardware. This is a similar mistake to the one they made with the Mac long ago.
The other thing to remember is that smart marketing still works. As a matter of fact it works better now than ever. A good marketing campaign could drive a premium on the cost of songs even in a relatively free environment.
Here is a model (certainly not the model though)
Company XYZ offers songs for sale via MP3 or other. Even DRM could be OK if someone could figure out an easy way to make it portable.
Three price points. (let the prices float some to meet the market optimise for profit)
$.25 for older songs, Recovered songs (get to this in a bit), and lesser known artists.
$1.00 for standard run and first purchase songs.
$3+ for premium content.
Find similar balances with some discounts for entire albums (or ensembles since you are not limited to songs)
Company XYZ tracks everything the customer purchases (OK a bit big brother but the customer does have a choice and this will be a service)
If the customer wants to make additional purchases of the same songs (because he lost his player, or forgot to backup, or just wants duplicates, or whatever else) he gets the lower price.
The key here is easy. People will ask why anyone would ever choose to repurchase. My guess is that everyone reading this has lost dozens perhaps thousands of files (music or otherwise) over the years. The question is would you pay pennies on the dollar to recover all of them (or most of them) with one click. If it is cheaper and easier to recover with a service like this why bother taking the time to manually back-up. This would probably happen more than once a year for many (non tech savvy) people.
It is an additional revenue stream.
Marketing pushes the premium content.
Anyone who has seen my weekend posts knows I like watching Yahoo videos (which are pretty close to free, you just have to sit through the ads).
My nerdy post is one of my most hit posts. (Not sure what this says about me or my readers. Sorry guys)
This and the cheap music IPod are two relative successes. The vendors need to let go of some of their inherent prejudices and learn from the items that have made these a success.
"Today it takes bands with an “installed base”, like BNL, to start cutting the cord. But MySpace and other sites show that our reliance on traditional sources for new music could easily decline."
This is absolutely true. Not only can it decline but it will and is already. If the big music companies don't wise up they will end up in an irreversible downward spiral.
People want a cheap, legal, easy and convenient way to get their entertainment. The big companies that leverage their marketing, existing content and talent to give people the easiest legal solution will make a fortune even if they charge next to nothing (especially if they charge next to nothing). The others will just go out of business.
Pretty good overview for a tech article in a normal Non-tech venue.
ATMs share quite a bit in common with ACS though I would hope they are in better shape from a security perspective.
They are often older tech. They are more difficult to update than other systems might be. Actual physical security is a mixture of both better and worse than typical IT systems. They are certainly closely watched but are often in an area where the actual owner has little control over the environment.
I am not an expert in these systems but would be interested in hearing from one.
04 December, 2006
The key is that for some phones it is possible to dial to them and turn them on without letting them ring. There are a lot of different ways to do it. In most cases (but not all) you have to have physical access to the device at least once.
Mike Larsen did some stuff on this back in the 90's I dug it up on packetstorm this weekend.
My last gig was a major oil company. I spent a bit of time working with a few people in legal and acquisitions explaining this exact issue to them. Not because I was pushing it but because on more than one occasion it was run into. Always when overseas visiting a more ... let's say intrusive government. Actually several different countries.
It is more widespread than you might think. We caught it a few times usually when the other side was sloppy.